Home United States USA — software After ‘WannaCrypt’ , should governments stockpile software vulnerabilities?

After ‘WannaCrypt’ , should governments stockpile software vulnerabilities?

212
0
SHARE

The “ WannaCrypt” malware has disrupted vital infrastructure in countries around the world., Security
The “WannaCrypt” malware has disrupted vital infrastructure in countries around the world. Vulnerabilities in commercially available software provide an easy way in for spy agencies and criminals to access adversary computer systems. I agree with that the refusal of US agencies to publicise vulnerabilities can be compared with the US armed forces losing a Tomahawk Cruise missile. There are circumstances where it could be that serious. Of course, our cyber intelligence agency, , may also be using vulnerabilities in software that Australian citizens rely on. So we need to ask the government about its policy in this regard. I doubt we will stop that practice in the current climate of global cyber escalation. But, in the medium term, Australia must commit to new “highly secure” systems instead of using inherently vulnerable software and machines. We must also commit to diplomatic agreement on the disclosure of vulnerabilities in commercially available systems. Countries with, like China and Russia, are vulnerable because patches sent by Microsoft to repair vulnerabilities only go to registered IP addresses with a licensed copy of the software. If a user has installed an unlicensed pirated version, they never get the patches. The Australian government needs to have a more mature conversation with its citizens about what is really going on in cyber space. So far we have not had it, even though the Turnbull government deserves credit for starting down that path with its. In an with widespread uptake of end-to-end encryption, that they cannot always disclose cyber security vulnerabilities. This is because they use to spy. But state-sponsored programs of cyber warfare go beyond stockpiling vulnerabilities. Countries are actively developing digital weapons to hack into, infect, monitor and disrupt computer systems. The, published by WikiLeaks in March, revealed both the extent of the Central Intelligence Agency’s hacking capabilities and its inability to keep them secure. An arsenal of malware, viruses, trojans and zero day exploits was taken and leaked. Now Wikileaks says it wants to address vulnerabilities and disarm these digital weapons. Yet, these could also or used for sinister purposes. Digital weapons can fall into the wrong hands. The consequences, , can be disastrous. Governments should be promoting cyber security rather than undermining it. Failing to disclose and address vulnerabilities weakens cybersecurity. There should also be limits on the development and deployment of digital weapons. It is time for a to protect the internet: the critical infrastructure and the citizens who depend on it. I’ ve that Western governments should be far more careful with their use and distribution of stockpiled vulnerabilities in commercial software. But I wouldn’ t hold my breath for it to happen. For better or worse, intelligence agencies seem to have persuaded governments that the intelligence they gain from exploiting such vulnerabilities outweighs the risks when those exploits leak. Whether they are right is something only historians will be able to answer, given the decades it will take for contemporary intelligence operations to be declassified. Even if Western intelligence agencies were required to cease stockpiling vulnerabilities and instead report them to vendors, their counterparts in Russian and Chinese intelligence agencies seem unlikely to follow suit. They face little domestic political pressure to behave ethically. Indeed, while the vulnerability used by the “WannaCrypt” ransomware is thought to have come originally from the National Security Agency, the public disclosure of the vulnerabilities to have been the work of the Russian intelligence services. Russian IT systems the most heavily affected by “WannaCrypt”. If the release was in fact the work of Russian intelligence, the blowback, in terms of inconvenience and expense for Russian companies and other branches of the Russian government, has been substantial. It was also foreseeable – and they did it anyway. While Microsoft’s call for governments to think harder about the real-world costs of their espionage techniques is admirable, it’s hard to imagine it actually happening any time soon.

Continue reading...